The Origin of Armitage’s Hail Mary Mass Exploitation Feature

July 17, 2013

Several times now, an author has introduced Armitage, and the main value add to the hacking process that they emphasize is the “devastating” Hail Mary attack. I’m most proud of Armitage’s red team collaboration capability–it’s why I built the tool in the first place. The Hail Mary attack? Meh. That said, I’d like to share with you how the Hail Mary attack came to be.

I released Armitage in late November 2010. In a December 2010 PaulDotCom episode, Larry reviewed Armitage. I’m a PaulDotCom fan and so I was very excited to watch this. He tried out an Armitage menu that launched the now defunct db_autopwn and a lot of the conversation in that review centered around the poor behavior of that particular feature.

For those that don’t remember, db_autopwn is a former Metasploit Framework feature to automatically launch exploits against everything in the database. The feature was never very smart though. You could opt to launch exploits based on open service or imported vulnerabilities. If you launched by open service, db_autopwn would unleash every exploit that matched each open service. It didn’t attempt to order the exploits or stagger them in a smart way, it just launched them. More amusingly, it didn’t discriminate at all, the db_autopwn feature would launch exploits for all operating systems against each open service.

The Armitage menu item to launch db_autopwn was called the Hail Mary. Why? Because, in my mind, you would only use db_autopwn as a desperate measure.

For all of the things brought up during the review, db_autopwn’s weaknesses were the thing I decided to address right away.

I opted to make an intelligent auto-exploitation feature. The algorithm is pretty basic:

For each host, map open services to Metasploit Framework exploits

Remove exploits that do not meet a minimum reliability criteria

Remove exploits that do not match the host’s operating system

Sort the exploits by reliability first and date of release second. The newest and most reliable exploits should fire first.

Launch it!

There’s no real magic to the above algorithm. Even though this algorithm is smarter than db_autopwn, I kept the name Hail Mary to reflect my feelings on this kind of attack. The Hail Mary is not a precision strike. It’s a blunt instrument. It’s loud and there’s not a lot of room for configuration. Push the button and see what happens.

My attack process doesn’t have a place for a Hail Mary-like feature, but I’ve heard some people use it to test their IDS or create noise. Here’s an old video with this attack in action:

db_autopwn was removed from the Metasploit Framework in late 2011. Funny, I’ve run into people who have kept a second install of Metasploit around just to continue to have access to this feature.

With the constant emphasis on the Hail Mary, maybe there are more folks who miss db_autopwn than I thought?